
StoneCypher / jssm / aa01a95a888d54b7d15112badaebaac6f623daf9 / 9
100%
master: 100%

LAST BUILD BRANCH: main
DEFAULT BRANCH: master
Ran 12 May 2026 10:25AM UTC
Files 15
Run time 1s
12 May 2026 09:29AM UTC coverage: 100.0%. Remained the same
aa01a95a888d54b7d15112badaebaac6f623daf9.9

push

github

StoneCypher
chore(ci): switch to npm trusted publishing (OIDC)

Replaces the long-lived `NPM_TOKEN` auth path with npm's
Trusted Publisher / OIDC flow.  The release job now exchanges
a short-lived GitHub-issued OIDC token with npm at publish
time, scoped to this specific workflow run.

Workflow changes:
- Add `permissions: id-token: write` on the release job so
  GitHub Actions issues the OIDC token for npm to verify.
- Switch `npm publish` to `npm publish --provenance --access
  public`.  `--provenance` triggers the OIDC code path and
  emits a signed attestation linking the published tarball
  to the exact GitHub Actions run that built it (visible as
  the Provenance badge on the npm package page).
- Remove the `env: NODE_AUTH_TOKEN` block.  The token is no
  longer used by `npm publish`.

Required npm-side configuration (one-time, manual UI work):
- npmjs.com -> jssm package settings -> Trusted Publishers ->
  Add Publisher: GitHub Actions, org `StoneCypher`,
  repo `jssm`, workflow filename `nodejs.yml`, environment
  blank.
- Toggle "Disallow token access" to closed.  Closes the
  parallel long-lived-token attack surface entirely.

Follow-up tasks once the first OIDC-authenticated publish
succeeds:
- Delete the `JSSM_PUBLISH_TOKEN_FOR_GH_CI_CD` automation
  token on npm (Account -> Access Tokens).
- Delete the `JSSM_PUBLISH_TOKEN_FOR_GH_CI_CD` secret in
  this repo's Settings -> Secrets and variables -> Actions.

827 of 827 branches covered (100.0%)

Branch coverage included in aggregate %.

7599 of 7599 relevant lines covered (100.0%)

849.89 hits per line
